This worm spreads to Apache servers running mod_ssl on a range of Linux platforms by exploiting a previously disclosed vulnerability in the OpenSSL library, affecting versions up to and including 0.9.6d and 0.9.7 beta 1. It is a modified derivative of the BSD/Scalper worm, from which it inherits its propagation strategy: it picks a /16 (class B) range by taking the first octet from a hard-coded list of class A prefixes and choosing the second octet at random, then scans that entire range.
The worm only attacks specific Linux distributions. It first sends a plain HTTP request to port 80 and examines the Server: header of the response; only if that header identifies one of the distribution and Apache version combinations listed below does the worm proceed to attack port 443 (HTTPS). The target distributions are:
| Linux distribution | Apache version(s) |
| --- | --- |
| Gentoo | unknown |
| Debian | 1.3.26 |
| Red-Hat | 1.3.6, 1.3.9, 1.3.12, 1.3.19, 1.3.20, 1.3.26, 1.3.23, 1.3.22 |
| SuSE | 1.3.12, 1.3.17, 1.3.19, 1.3.20, 1.3.23 |
| Mandrake | 1.3.14, 1.3.19, 1.3.20, 1.3.23 |
| Slackware | 1.3.26 |
Although only these distributions are known to be attacked by the Slapper worm, the OpenSSL vulnerability affects other platforms as well, and new variants may have a broader target range. Note that the vulnerability is in OpenSSL itself, not in the Apache web server or in mod_ssl; they are merely the path the worm uses to reach the library. To fix the vulnerability, update OpenSSL to the latest version (0.9.6e was the first fixed 0.9.6 release) and then restart every service that links against it, since an already running httpd keeps the old library code in memory until it is restarted.
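The two decisions described above (the Server: header fingerprint and the affected OpenSSL version range) as shell functions an administrator can run against their own server. This is an added example, not code from the worm or from the vendor; the keyword spellings ("Red-Hat", "SuSE", and so on) are assumed from the table, and "unknown" for Gentoo is taken to mean any Apache version.

```shell
#!/bin/sh
# Editor's example reconstructing the worm's two pre-attack checks from the
# description; not the worm's code and not vendor tooling.

# slapper_target_class "<Server: header value>"
# Prints the matched distribution and returns 0 when the header names a
# distribution/Apache version pair from the table; returns 1 otherwise.
slapper_target_class() {
    hdr=$1
    # pull "1.3.26" out of "Apache/1.3.26 (Unix) ..."
    apache=$(printf '%s\n' "$hdr" | sed -n 's#.*Apache/\([0-9][0-9.]*\).*#\1#p')
    case $hdr in
        *Gentoo*)              dist=Gentoo;    versions='*' ;;   # "unknown": assume any version
        *Debian*)              dist=Debian;    versions='1.3.26' ;;
        *Red-Hat*|*"Red Hat"*) dist=Red-Hat;   versions='1.3.6 1.3.9 1.3.12 1.3.19 1.3.20 1.3.26 1.3.23 1.3.22' ;;
        *SuSE*)                dist=SuSE;      versions='1.3.12 1.3.17 1.3.19 1.3.20 1.3.23' ;;
        *Mandrake*)            dist=Mandrake;  versions='1.3.14 1.3.19 1.3.20 1.3.23' ;;
        *Slackware*)           dist=Slackware; versions='1.3.26' ;;
        *)                     return 1 ;;
    esac
    if [ "$versions" = '*' ]; then
        echo "$dist"; return 0
    fi
    for v in $versions; do
        if [ "$v" = "$apache" ]; then
            echo "$dist"; return 0
        fi
    done
    return 1
}

# openssl_affected "$(openssl version)"
# Returns 0 for the releases the text lists as affected: 0.9.6d and earlier
# (including everything before 0.9.6) and 0.9.7 beta 1; 1 otherwise.
openssl_affected() {
    set -- $1                        # "OpenSSL 0.9.6d 9 May 2002" -> $2 is 0.9.6d
    case $2 in
        0.[0-8].*|0.9.[0-5]*|0.9.6|0.9.6[a-d]|0.9.7-beta1) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample values (not captured from a real host):
slapper_target_class 'Apache/1.3.26 (Unix) Debian GNU/Linux' && echo "  -> would be attacked on 443"
openssl_affected 'OpenSSL 0.9.6d 9 May 2002' && echo "0.9.6d: affected"
```

Against a live host, feed the header with `curl -sI http://host/ | grep -i '^Server:' | cut -d' ' -f2- | tr -d '\r'` and the library version with `openssl_affected "$(openssl version)"`. Two caveats: a header that does not match only means this variant would not pick the host, not that it is safe, and `openssl version` reports the library the command-line tool was built against, which can differ from the copy mod_ssl links to when OpenSSL was statically linked or installed twice.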
On a vulnerable system, the worm uploads itself as a uuencoded C source file, decodes it and compiles the source into an ELF binary. The binary is detected as Unix/Scalper.worm.gen (it shares enough code with BSD/Scalper.worm that the two are detected generically). Compiling locally sidesteps the instability of running one prebuilt binary across different Linux distributions and library versions, but it also means the worm depends on a C compiler being present and executable by the account the exploited httpd process runs as. The names and locations of the encoded file, the decoded source and the binary are given in "Symptoms".
The infected computers form a global peer-to-peer network of compromised servers. Because each node accepts remote commands, the network can be used, for example, for Distributed Denial of Service (DDoS) attacks or for other purposes. Any command received by one node is relayed to the other members of the worm network.
Commands received from the P2P network include:
Flooding attacks (ip4, ip6, tcp, syn, udp and dns floods)
Scan the file system for valid email addresses
Produce multiple copies of itself on the file system
Add entries to crontab
Send information about the compromised system to specific email addresses
Detection is included in the specified DAT release. In addition to the DAT version requirements for detection, the specified engine version (or greater) must also be used.
Delete the files identified by the scanner, replace them with clean copies from backup or reinstall them from the original packages, then reboot the system so that no running worm process survives.
Inspect the contents of the crontab files for all accounts, not only root, and remove unwanted entries.
It is advisable to remove the C compiler from the server or to restrict the access rights to it; disabling compilers on production systems is recommended as a good security practice. Note that this only deprives this worm of the means to build itself: it does not close the OpenSSL vulnerability, and a variant that carries a prebuilt binary would not need a compiler at all.
Administrators should regularly check for the availability of important security updates and patches; in this case it is the OpenSSL update, not the Apache or mod_ssl packages, that closes the hole.
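The clean-up steps above (crontab review, compiler removal or restriction) as a set of shell triage helpers. This is an added example by the editor, not vendor tooling; it deliberately does not name the worm's files, which are listed in the "Symptoms" section of the original description, and the crontab heuristic (flag entries that run from temp directories or dot-prefixed paths) is an assumption based on where an unprivileged httpd process can write.

```shell
#!/bin/sh
# Editor's triage helpers for the clean-up steps in the text; not vendor
# tooling. Each heuristic is an assumption and is labelled as such.

# Print crontab lines (read from stdin) worth a look: anything that is not a
# comment or a VAR=value line and that runs something from a temp directory
# or a dot-prefixed path. Heuristic (assumption): a worm that lands inside an
# unprivileged httpd process has few other places it can write to.
flag_cron_entries() {
    grep -v '^[[:space:]]*#' \
      | grep -v '^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*=' \
      | grep -E '/(tmp|var/tmp|dev/shm)/|/\.[^/[:space:]]'
}

# Run flag_cron_entries over every account's crontab and the system cron
# files. Needs root; `crontab -u` is the Vixie/cronie form of the command.
review_all_crontabs() {
    for u in $(cut -d: -f1 /etc/passwd); do
        crontab -l -u "$u" 2>/dev/null | flag_cron_entries | sed "s/^/$u: /"
    done
    cat /etc/crontab /etc/cron.d/* 2>/dev/null | flag_cron_entries | sed 's/^/system: /'
    return 0
}

# Return 0 when "other" may execute the file (column 10 of ls -l is x or t);
# -L follows symlinks so /usr/bin/cc -> gcc is judged by the real binary.
world_executable() {
    case $(ls -ldL "$1" | cut -c10) in
        x|t) return 0 ;;
        *)   return 1 ;;
    esac
}

# The worm needs a C compiler to build its uploaded source. List the usual
# front ends that are installed and say whether an account outside every
# privileged group (such as the one httpd runs as) could execute them.
audit_compilers() {
    for c in cc gcc c++ g++ tcc clang; do
        p=$(command -v "$c" 2>/dev/null) || continue
        if world_executable "$p"; then
            echo "$c: $p (executable by everyone)"
        else
            echo "$c: $p (restricted)"
        fi
    done
    return 0
}

# Restrict a compiler to a group (default root) instead of removing it.
# Members of that group keep access; the httpd account loses it.
restrict_compiler() {
    f=$1; g=${2:-root}
    chgrp "$g" "$f" && chmod o-rwx "$f" && echo "restricted $f to group $g"
}

# Constructed crontab text (not from a real host) so the filter can be seen
# working offline; the two lines that should be flagged are the last two.
SAMPLE_CRONTAB='# m h dom mon dow command
MAILTO=root
0 3 * * * /usr/bin/logrotate /etc/logrotate.conf
* * * * * /tmp/.x/run >/dev/null 2>&1
@reboot /var/tmp/update.sh'

printf '%s\n' "$SAMPLE_CRONTAB" | flag_cron_entries
audit_compilers
```

Run `review_all_crontabs` and `audit_compilers` as root on a suspect server, and `restrict_compiler /usr/bin/gcc` (and the other front ends it reports) if you keep a compiler installed. Restricting only the driver is a partial measure: the back-end programs it invokes (cc1, as, ld) remain reachable under their own paths, which is why removing the compiler package is the more thorough option the text lists first. Neither step touches the OpenSSL vulnerability itself.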
Recommended links:
Caldera
Debian
FreeBSD
Redhat
Sun
SuSe